Please help me understand why right answer is the right one?

A seemingly simple question:
A security policy which will remain relevant and meaningful over time
includes the following:
A. Directive words such as shall, must, or will, technical specifications and
is short in length
B. Defined policy development process, short in length and contains
directive words such as shall, must or will
C. Short in length, technical specifications and contains directive words
such as shall, must or will
D. Directive words such as shall, must, or will, defined policy development
process and is short in length

I chose B but answer is something else. Can anyone please explain what is difference between B and D?

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

lucky0977

This question looks like something from transcender, which makes their questions harder than the actual exam. The only thing I can see is the key word "contains" in question B. Question D doesn't have the word "contains", which indicates that directive words such as shall , must or will are mandatory.

kabooter

lucky0977 wrote: »

This question looks like something from transcender, which makes their questions harder than the actual exam. The only thing I can see is the key word "contains" in question B. Question D doesn't have the word "contains", which indicates that directive words such as shall , must or will are mandatory.

Holy mother of Jesus!
For the life of me I could not notice the "contains" difference between B and D. In any case both pretty much mean same thing. This is what I find very discouraging. If these are the kind of questions they are going to put up in test, then god save the queen!
PS Its from Chap 1 of Official Official ISC2 Book.

lucky0977

Well to be honest, if you read a lot of threads where people have passed, you'll notice that they mention that you should should read the questions and answers carefully and multiple times. When I took mine, I read the question the 1st time and was like WTF is this? Then after re-reading again a 2nd or 3rd time, you could understand more and find keywords that hint at the correct answer.

This is a test like no other ( 50% reading comprehension & 50% actual security related) and a test I hope I never have to take again.

OctalDump

It's just another bad question. There isn't a real semantic difference between those two options both require that the security policy contains/includes directive words.

The annoying thing is that there doesn't appear to be a reference to directive words elsewhere in the CBK (or official study guide). But maybe I'm not looking hard enough.

I'd say don't worry about whether the answer is B or D, and just know the content. A and C are the same thing as well, and the only difference really between all four is "technical specifications" vs "policy development process".

Others have commented that the book content is better than its practice questions. It certainly wouldn't be the first book where the answers are wrong, or the questions bad...

EDIT

I've found a clearer statement of what Security Policies should have in the 3rd edition of the Guide to the CBK - page 495. But can't find the corresponding detail in the 4th edition...

The 3rd edition contains this exact same question, though... maybe they copied questions but not the content that the question is meant to test